With a Worm Looming, the BlueKeep Bug Isn’t Getting Patched Fast Enough

At this rate, it will take years to fix a critical vulnerability that remains in over 900,000 Windows machines. A worm will arrive much sooner.
"Once there's a worm, it will cleanse the internet of these vulnerable machines. It will just burn like fire," says security researcher Rob Graham.

Two weeks have passed since Microsoft warned users about a critical vulnerability in a common Windows protocol that could enable a hacker to remotely take over machines without even a click from their owners, potentially allowing an infectious worm to rip through millions of PCs. That bug might be fading from the headlines, but it still lingers in at least 900,000 computers. And that vulnerable herd is getting Microsoft's patch at a glacial pace—as a wave of contagion that will likely soon hit all of them looms.

BlueKeep, as the bug has come to be known, is a hackable vulnerability in Microsoft’s Remote Desktop Protocol, or RDP, that affects Windows 7 and earlier as well as older versions of Windows Server. The flaw is triggered before any credentials are checked, so an attacker needs nothing more than network access to a machine's RDP port; Microsoft noted that enabling Network Level Authentication, which forces a client to authenticate before a session is set up, keeps unauthenticated attackers from reaching it. The insecure code was spotted and reported by the UK's National Cyber Security Centre, and Microsoft released a patch on May 14. BlueKeep is so serious—rating 9.8 out of 10 in severity, according to Microsoft—that the company even pushed out a rare patch for Windows XP, which it doesn't otherwise support. Microsoft's director of security incident response compared the potential fallout to WannaCry, the North Korean ransomware worm that caused up to $8 billion in damage when it rampaged across the internet in 2017.

And yet the digital world has been slow to defend itself. When security researcher Rob Graham scanned the entire public internet for BlueKeep-vulnerable machines on Monday, using a tool he built, he found that 923,671 machines hadn't been patched, and were thus still exposed to any potential worm. When he ran the same scan on Wednesday evening at WIRED's request, he found that the number of vulnerable machines had dropped only slightly, to 922,225.

In other words, fewer than 1,500 machines appear to have been patched in 48 hours. If that very roughly estimated rate were to continue (and it’s just as likely to slow further over time, as the initial alarm around BlueKeep wanes), it would take more than three years for all the remaining vulnerable machines to be patched.

Countdown to Exploitation

Graham and other security industry observers expect a public BlueKeep hacking tool and a resulting worm to appear much, much sooner, potentially within days or weeks. "A worm will happen before these systems get patched," says Graham, CEO of consulting firm Errata Security. In fact, he expects that only the appearance of that worm will substantially change the patching rate for the computers he's scanning. "Once there's a worm, it will cleanse the internet of these vulnerable machines. It will just burn like fire."

Graham notes that the 922,225 unpatched machines identified by his scan aren't the only ones in BlueKeep's potential blast radius. Many of the machines he scanned were unresponsive to his automated RDP request, which could mean the computer was simply busy responding to one of the many other scans that hackers and security researchers are performing, rather than indicating that it’s patched. And he notes that his scans can't see computers behind corporate firewalls. While those firewalled networks are largely protected from BlueKeep, any stray corporate machine outside the firewall could act as an entry point to the wider corporate network, allowing a worm to steal credentials that it could use to access other machines across the company, as the Russian NotPetya worm did in its record-breaking spree nearly two years ago. "One unpatched machine might lead to a mass compromise," Graham says.

Given that potential for a wide-scale digital catastrophe, security researchers are counting down the days until someone publicly releases a working "exploit" for the BlueKeep vulnerability—a tool that can reliably take advantage of the bug to hijack an unpatched machine. For now, only partial BlueKeep exploits have been published on public platforms like GitHub; they’re capable of crashing target computers but not running the hacker's code on them. But that so-called "remote code execution," or RCE, exploit is coming, says Graham. "It could be posted right now while we’re talking, or two months from now."

The Journey From Bug to Worm

In the meantime, full RCE exploits for BlueKeep are no doubt being passed around more privately—and likely used for stealthy intrusions. Zerodium, one firm that buys and sells hacking tools, boasted within just a day of Microsoft's BlueKeep announcement that it had "confirmed exploitability." Security firm McAfee confirmed that it, too, has developed a full exploit for BlueKeep, and published a video (below) in which it uses the BlueKeep attack to run Windows' Calculator program on a target machine as proof of remote code execution.

Video: https://www.youtube.com/embed/jHfo6XA6Tts

Steve Povolny, McAfee's head of advanced threat research, argues that getting a full exploit working isn't something just any hacker can do. "Technical hurdles to exploitation involve leveraging a set of unique skills to trigger the bug, handle the crash and pivot to code execution while avoiding any security mitigations in place," he wrote in an email. "Even achieving the initial crash … was more challenging than expected. Getting RCE requires an even deeper understanding of the protocol and how the underlying system works."

But security researcher Marcus Hutchins, who gained fame for identifying the "kill switch" in the WannaCry worm, counters that he was able to develop his own RCE exploit for the BlueKeep bug in about a week of full-time work—albeit only for XP so far. Most of those days, he says, were spent on the tedious task of implementing Microsoft's RDP protocol in his program rather than figuring out how to break it. "I found the packet necessary to trigger the vulnerability within hours," Hutchins says. "It was a pretty quick job."

That means plenty of others have almost certainly developed exploits, too—some of whom likely have more nefarious intentions than defensive research. "It would be silly to think there aren’t a fair number of people who have RCE," Hutchins says. "Most of the people who have it aren’t going to want to advertise that."

Hutchins expects that at first BlueKeep will be quietly used in targeted attacks on corporate or government networks, likely by active ransomware gangs like GandCrab, Ryuk, or LockerGoga. "A small number of high value targets can be more profitable than a lot of low value ones," he says. Only after criminals begin to sell their BlueKeep exploits more widely on underground forums is one likely to end up on a public platform, where someone might integrate it into a fully automated worm.

'Really Do Patch'

That countdown to disaster raises the question: Why aren't the 900,000-plus machines vulnerable to BlueKeep being patched? Some, says Rob Graham, are probably old and forgotten servers without important data, gathering dust in a data center. But others are likely corporate machines with sensitive data, at organizations that simply don't patch reliably. Patching, after all, takes expensive man-hours, and it can break some older software that hasn't been developed to work with newer systems. "Many orgs have no capacity to patch unless it's part of incident response—as in, they are already under attack or compromised," says Katie Moussouris, the founder and CEO of Luta Security and a well-known expert in vulnerability management. "There's a pervasive myth that most organizations have basic processes for vulnerability management set up and documented, but that simply isn't the case in practice at most places."

If any vulnerability demands a departure from that lackadaisical approach, McAfee's Steve Povolny says that BlueKeep is it. "RDP stands for Really DO Patch," he writes. "We’ve all had the pain, but also the unique benefit as an industry, of being exposed to critical and wormable vulnerabilities via WannaCry. This vulnerability should prompt a close investigation and inventory of both legacy systems and legacy network protocols; the former of which has had ample time to be updated. Applying the patch, along with a comprehensive testing/validation strategy, is the only guaranteed solution for this vulnerability at the time."

Microsoft's advisory for BlueKeep explains how to check whether a computer is running RDP and might be vulnerable, and links to the patch for each affected version of Windows, including the out-of-band update for Windows XP.
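As an added example, not from the article and not Graham's scanner, the PowerShell below does the two checks a practitioner would want after reading this. The first inspects the local host for the conditions that matter: an affected Windows version, RDP enabled, whether Network Level Authentication is required, and whether a fix is installed. The second sends a single RDP negotiation request to a remote host and reports whether it accepts unauthenticated standard RDP security, which is the pre-authentication surface that Graham's scan and a worm would both reach. The KB numbers are assumptions to verify against Microsoft's advisory, the function names are mine, and neither function attempts to trigger the bug.

```powershell
# Added example (not from the article). Two checks for BlueKeep-era RDP exposure:
#   Test-BlueKeepLocalExposure  - run on the host itself
#   Test-RdpNegotiation         - run from elsewhere on the network against a host
# Neither function triggers the vulnerability; they only read configuration and
# perform the normal RDP connection negotiation.

function Test-BlueKeepLocalExposure {
    param(
        # ASSUMPTION: KB numbers believed to carry the May 14, 2019 fix for
        # Windows 7 SP1 / Server 2008 R2 SP1 (monthly rollup and security-only).
        # Verify against Microsoft's advisory and substitute the KBs for other
        # affected versions (XP, Server 2003, Vista, Server 2008).
        [string[]]$FixKBs = @('KB4499175', 'KB4499164')
    )
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    # Windows 8 / Server 2012 and later (NT 6.2+) are not affected.
    $affectedVersion = $ver -lt [version]'6.2'

    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # UserAuthentication = 1 means NLA is required: a client must authenticate
    # before the session is set up, so unauthenticated attackers never reach the bug.
    $nlaRequired = ($tcp.UserAuthentication -eq 1)

    $installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $fixPresent = @($FixKBs | Where-Object { $installed -contains $_ }).Count -gt 0

    [pscustomobject]@{
        OS              = $os.Caption
        Version         = $os.Version
        AffectedVersion = $affectedVersion
        RdpEnabled      = $rdpEnabled
        RdpPort         = $tcp.PortNumber
        NlaRequired     = $nlaRequired
        FixInstalled    = $fixPresent
        # Worst case: affected build, RDP on, no NLA, no fix.
        Exposed         = ($affectedVersion -and $rdpEnabled -and -not $nlaRequired -and -not $fixPresent)
    }
}

function Test-RdpNegotiation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 3000
    )
    # TPKT header + X.224 Connection Request + RDP_NEG_REQ asking for PROTOCOL_RDP
    # only (requestedProtocols = 0), i.e. standard RDP security with no NLA.
    $request = [byte[]](
        0x03, 0x00, 0x00, 0x13,                    # TPKT: version 3, total length 19
        0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00,  # X.224 CR TPDU (LI=14, CR, refs, class 0)
        0x01, 0x00, 0x08, 0x00,                    # RDP_NEG_REQ: type 1, flags 0, length 8
        0x00, 0x00, 0x00, 0x00                     # requestedProtocols = PROTOCOL_RDP
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'no-response' }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($request, 0, $request.Length)
        $buf = New-Object byte[] 19
        $n = $stream.Read($buf, 0, $buf.Length)   # reply is small; assumes one segment
        if ($n -lt 11) { return 'no-response' }
        # A bare X.224 Connection Confirm (11 bytes, no RDP_NEG_* body) comes from a
        # server that predates protocol negotiation: standard RDP security only.
        if ($n -lt 19) { return 'standard-rdp-accepted' }
        # Byte 11 is the negotiation response type:
        #   0x02 = RDP_NEG_RSP (server agreed to standard RDP security)
        #   0x03 = RDP_NEG_FAILURE (failureCode at bytes 15..18, little-endian)
        switch ($buf[11]) {
            0x02 { return 'standard-rdp-accepted' }   # unauthenticated clients reach the protocol
            0x03 {
                $code = [BitConverter]::ToUInt32($buf, 15)
                if ($code -eq 5) { return 'nla-required' }   # HYBRID_REQUIRED_BY_SERVER
                return "negotiation-failure-$code"
            }
            default { return 'unknown' }
        }
    } catch {
        return 'no-response'
    } finally {
        $client.Close()
    }
}
```

Run `Test-BlueKeepLocalExposure` on a host and act on `Exposed -eq $true`; run `Test-RdpNegotiation -ComputerName <host>` across an inventory to find listeners that return `standard-rdp-accepted`, since those are the machines that answer an unauthenticated negotiation the same way a scanner or worm would see it. A result of `nla-required` means the pre-authentication path is closed, but it is a mitigation, not a substitute for the patch.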
